Cyber workers control their future as skillsets converge

Thursday - 10/24/2013, 12:37pm EDT

Commentary by Earl Crane, Senior Principal at Promontory Financial Group
& former member of the White House National Security Staff

Industry and government adoption of revolutionary technologies, such as cloud and
mobile computing, and the increased interdependency between information service
delivery and business success are reshaping how managers look at information
security. Increasingly sophisticated threats target both businesses and the
federal government for disruption and espionage.

The federal government is looking to increase the efficiency and effectiveness of
its cybersecurity programs. It has a long history of grappling with advanced
cybersecurity threats, and has developed sophisticated capabilities to understand
and mitigate cybersecurity risks. Industry, meanwhile, is driven by sound
bottom-line arguments and market forces to focus on cost-effective solutions,
pushing for efficiency in business competition in a way that government
struggles to match.

Leaders in both government and industry, in short, have discovered they can learn
a lot from each other.

One result of this growing focus on government-industry cybersecurity
collaboration was the Aug. 20 report on Secure Government
Communications by the President's National Security Telecommunications Advisory
Committee (NSTAC). At the request of the White House Cybersecurity National
Security Staff, this report investigated how to improve federal government
information security based on industry best practices, approaches and
perspectives.

While the lack of cybersecurity talent is a concern for national security and U.S.
competitiveness as a whole, it is promising news for cybersecurity professionals
seeking mobility in the workforce as their skills are in demand. According to a
recent Cyber Security Census from Semper Secure, Washington is
emerging as an epicenter of cybersecurity talent. The D.C. metro area is tied with
California for the highest concentration of cybersecurity professionals — at
19 percent each — and D.C. scored higher as a center of cybersecurity
innovation — 44 percent versus California's 33 percent.

As senior members of the federal workforce retire, new positions will open up for
cybersecurity professionals. Additionally, as mid-career federal cybersecurity
professionals look to industry to broaden their skill sets, they will find demand
for their government cybersecurity skills in the private sector. Both businesses
and government organizations willing to seek cybersecurity expertise outside of
their traditional industry-specific workforce will find candidates with
increasingly fungible cybersecurity skills. Drawing from the NSTAC
recommendations, we can highlight three key crossover skill sets:

Risk Management

Federal employees with experience implementing the NIST Risk
Management Framework may see increasing demand as industry looks to implement
and improve its risk management programs. The collaborative development process
around the critical infrastructure cybersecurity framework is building a
common conversation about how to effectively measure and manage cybersecurity
across industry sectors.

Any risk management calculus must incorporate cybersecurity into the business
decision-making process. Data breach and denial of service can no longer be viewed
merely as "IT issues," and must instead be just as much a part of the business'
risk calculations as logistics breakdowns, strikes and overseas conflicts.

Companies will need professionals capable of translating highly technical concerns
into actionable business strategy. The increased use of sector-specific maturity
models to measure companies' security program capabilities will provide
flexibility for innovative cybersecurity defenses that static checklists cannot.
The expertise required to perform these functions is both scarce and highly
transferable between industries, and it will be in high demand.

Threat Intelligence

An ever-growing number of businesses are recognizing the value in situational
awareness delivered by intelligence capabilities. Increasingly sophisticated
actors penetrate companies with intentionally targeted objectives, rather than
targets of opportunity. Businesses, therefore, need to be proactive in their
defense, by assessing and understanding what their adversaries will most likely
target based on their current business operations, defensive profile and global
geo-political environment.

Globalized connectivity has brought adversaries from around the world to your
organization's doorstep, and that is part of the new reality. Many federal agency
CIOs get this and have integrated cybersecurity threat intelligence into their
defensive plans. However, more must be done.

Threat intelligence is no longer a boutique offering for a select few
organizations. Increasingly it is a relevant consideration for situational
awareness across government and industry business lines. Dedicated cyber threat
analysts must have real-time actionable information and an understanding of
business operations and impact. A recent report from the Ponemon Institute
highlighted this fact, citing optimal times for near-real-time intelligence as no
greater than 4.6 minutes.

As business practices, information technology and cybersecurity threats become
more industry-agnostic, competition across and between industries for
cybersecurity professionals will remain fierce. Though professionals will be in
short supply for years to come, increased mobility among industries and government
will bring a leveling of common cybersecurity skills across the profession.

Earl Crane, Ph.D., is an expert in information security and cybersecurity
strategy and policy. He is a senior principal at Promontory Financial Group, a
global consulting firm that helps companies and government around the world manage
complex risk and meet their greatest regulatory challenges. Dr. Crane was
previously a member of the White House National Security Staff, where he advised
the president on cybersecurity policy.